
Cos(余弦)😶🌫️|Mar 14, 2025 13:32
Recently, many friends have been asking whether certain browser extensions carry security risks, especially the risk of excessive permissions. Interestingly, many people underestimate the harm a malicious extension can do, while others exaggerate it.
I have been writing browser extensions for a long time (one of them, a cookie-hacking one, is open source in my GitHub repository and is outdated by now), and I have also done security audits of some wallet extensions, so I count as a reasonably knowledgeable security person.
If an extension wants to be malicious, for example stealing cookies from the target page, reading private information in localStorage (such as account authorization data or private key material), tampering with the DOM, hijacking requests, reading clipboard contents, and so on, it only needs to declare the relevant permissions in manifest.json. If users do not pay attention to the permissions an extension requests, that is trouble.
But even if an extension wants to do evil, it is not easy for it to directly attack other extensions, such as well-known wallet extensions, because the sandbox isolates them. For example, it is unlikely to directly steal the private key or mnemonic stored by a wallet extension, unless that wallet has a silly vulnerability that gets exploited.
If you are concerned about the permission risk of a certain extension, that risk is actually easy to assess. After installing the extension, you can choose not to use it yet. Look up the extension ID, search for its local directory on your computer, find the manifest.json file in the extension's root directory, and hand the file contents to an AI for a permission-risk interpretation. If you do not know how to do this step, it is also very convenient to just ask an AI directly, for example DeepSeek/GPT/Grok/Claude, etc.
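The manual check above (locate the extension's manifest.json, read its permissions) can also be scripted. The block below is an added example, not code from the original post: it parses a manifest (MV2 or MV3), collects API permissions, host permissions and content-script match patterns, and flags the ones that enable the abuses named earlier (cookie theft, script injection into pages, request hijacking, clipboard reading). The risk list and the scoring are the editor's own selection, not an official Chrome classification; the default profile paths assume a profile named "Default"; the embedded sample manifest is constructed.

```python
"""Review a Chrome extension's manifest.json for risky permissions (added example)."""
import json
import os
import sys
from pathlib import Path

# Editor's selection of permissions worth a second look; not an official Chrome list.
RISKY_PERMISSIONS = {
    "cookies": "read/modify cookies of permitted sites (session theft)",
    "webRequest": "observe every request to permitted hosts",
    "webRequestBlocking": "block/modify/redirect requests (request hijacking, MV2)",
    "declarativeNetRequestWithHostAccess": "rewrite requests to permitted hosts (MV3)",
    "scripting": "inject scripts into pages (DOM tampering, localStorage reads)",
    "clipboardRead": "read clipboard contents",
    "tabs": "see URL and title of every open tab",
    "history": "read browsing history",
    "debugger": "attach the DevTools protocol to tabs",
    "nativeMessaging": "exchange messages with native programs on the host",
    "proxy": "redirect all browser traffic",
    "management": "enumerate and disable other extensions",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(entry):
    # Host match patterns look like "https://*.example.com/*"; API permissions do not.
    return entry == "<all_urls>" or "://" in entry


def assess_manifest(manifest):
    """Return risky API permissions, host scope and a constructed score for one manifest."""
    declared = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))            # MV3 keeps hosts here
    hosts.update(p for p in declared if _is_host_pattern(p))     # MV2 mixes hosts into permissions
    api_perms = [p for p in declared if not _is_host_pattern(p)]
    for cs in manifest.get("content_scripts", []):               # content scripts also grant page access
        hosts.update(cs.get("matches", []))
    findings = [(p, RISKY_PERMISSIONS[p]) for p in api_perms if p in RISKY_PERMISSIONS]
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    # Constructed scoring: each risky API permission counts 1; broad host scope doubles it,
    # because cookies/scripting on <all_urls> reach every site the user is logged in to.
    score = len(findings) * (2 if broad else 1)
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": findings,
        "hosts": sorted(hosts),
        "broad_host_access": broad,
        "score": score,
    }


def chrome_extension_dir():
    """Extensions folder of Chrome's default profile on this OS (assumes profile 'Default')."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def assess_installed(ext_id):
    """Assess every installed version of the extension with the given 32-character ID."""
    results = []
    for mf in sorted((chrome_extension_dir() / ext_id).glob("*/manifest.json")):
        with open(mf, encoding="utf-8") as fh:
            results.append((str(mf), assess_manifest(json.load(fh))))
    return results


# Constructed sample manifest (MV3) in the shape an over-privileged extension would declare.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Constructed Example Helper",
    "permissions": ["cookies", "scripting", "clipboardRead", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    # Usage: python check_manifest.py <extension-id>; without an ID the sample is assessed.
    reports = assess_installed(sys.argv[1]) if len(sys.argv) > 1 else [("(sample)", assess_manifest(SAMPLE_MANIFEST))]
    for path, report in reports:
        print(f"{path}: {report['name']} (MV{report['manifest_version']}) score={report['score']}")
        for perm, why in report["risky_permissions"]:
            print(f"  - {perm}: {why}")
        if report["broad_host_access"]:
            print("  - host scope covers all sites:", ", ".join(report["hosts"]))
```

The output is a starting point for the AI-assisted review the post recommends: paste the flagged permissions together with the extension's stated purpose, and ask whether each one is justified. A note-taking extension that asks for `cookies` on `<all_urls>` is the pattern to question.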
If you think in terms of isolation, consider running unfamiliar extensions in a separate Chrome profile, which at least contains any misbehaviour. Moreover, once you are done using an extension, you can disable it in chrome://extensions/; most extensions do not need to stay enabled all the time.
The real point of my writing this is to guide everyone to get better at using AI (a few years ago it was about being good at using search engines). AI handles basic security questions like these without any problem.